Defrag Deactivation - Security
Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
Sigma rule (View on GitHub)
1title: Defrag Deactivation - Security
2id: c5a178bf-9cfb-4340-b584-e4df39b6a3e7
3related:
4 - id: 958d81aa-8566-4cea-a565-59ccd4df27b0
5 type: derived
6status: test
7description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
8references:
9 - https://securelist.com/apt-slingshot/84312/
10author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)
11date: 2019/03/04
12modified: 2022/11/27
13tags:
14 - attack.persistence
15 - attack.t1053
16 - attack.s0111
17 - detection.emerging_threats
18logsource:
19 product: windows
20 service: security
21 definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
22detection:
23 selection:
24 EventID: 4701
25 TaskName: '\Microsoft\Windows\Defrag\ScheduledDefrag'
26 condition: selection
27falsepositives:
28 - Unknown
29level: medium
References
-
While analyzing some memory dumps suspicious of being infected with a keylogger, we identified a library containing strings to interact with a virtual file system. This turned out to be a malicious loader internally named “Slingshot”.
Read More
Related rules
- Defrag Deactivation
- OilRig APT Activity
- OilRig APT Schedule Task Persistence - Security
- Potential ACTINIUM Persistence Activity
- COLDSTEEL Persistence Service Creation